That's a very long list of questions. Have you read through our
documentation? I would hope it at least answers some of these questions. If
not then breaking this list into smaller emails would make it easier to
answer. Answering all these questions in one go is a fairly time consuming
On 16 March 2016 at 22:35, John Dennis <jdennis(a)redhat.com> wrote:
I would appreciate having the following Keycloak concepts
explained. Many thanks in advance!
* What are the predefined clients?
- When, why and where are you supposed to use these predefined
* What is the difference between realm roles and client roles?
- Why are realm roles and client roles distinct?
- How do they get assigned and for what purpose?
- Why aren't roles always visible in the Web UI? For instance
the available roles drop down box is often unpopulated even
though they seem to be predefined in the source code. Why
aren't they available for assignment in the Web UI?
* How does role mapping work?
- What is being mapped from and being mapped to?
- What is the intended usage for these mappings?
* What does it mean to create a role in the Web UI? What is it
- How do roles created in the Web UI relate to the predefined
- Why does the Web UI allow me to create a new role with the
same name as a predefined role? Are they the same role or is
there a collision?
* What are effective roles?
- How are effective roles computed?
- In the Web UI I see lists for "Available Roles", "Assigned
Roles" and "Effective Roles". Sometimes I see a role in the
"Effective Roles" list which is not in the "Assigned Roles"
list. How and why does this happen?
* What are composite roles?
- How and where are they defined?
- How are composite roles meant to be used?
- When looking at a list of roles in the Web UI how does one
identify a single role from a composite role?
* What is the relationship between a Keycloak role and an OAuth2
* Are roles related to users in any fashion or is a role bound
exclusively to a client (appearing only in the client's token).
- How do you authenticate as a user and acquire specific roles?
- Is it because a user grants a role via an OAuth scope which
is then conveyed in the client token?)
- If so how is it determined what roles a user is permitted to
- For example how is an admin user created? How are the fine
grained admin roles bound to a user and how are these roles
then conveyed in the token after an admin user authenticates?
(see next question)
* The ClientRegistrationAuth.requireCreate() method requires the
bearer token from the realm administrator to have the
AdminRoles.MANAGE_CLIENTS or AdminRoles.CREATE_CLIENT roles in
the token, specifically in the resource_access part of the
token, but no matter what I do to add roles in the Web UI to a
realm admin the token roles remain unpopulated. How do these
roles get assigned and propagated in the token?
* How does a client differ from an application?
- They seem to be closely related. How, why and when do you use
one vs. the other?
- The name "application" suggests they are external
applications which might be secured by Keycloak but that
doesn't seem to be the case, rather applications seem to be
internal Keycloak entities. Are applications called
applications because they are implemented as as servlets in
- If so, is the reason applications are servlets is so their
endpoints can have their own authn and authz?
* What are adapters?
* What is a service account?
- How is a service account supposed to be used and for what
- How is a service account created?
- How is a service account authenticated?
* How does OAuth2 client authentication work in Keycloak?
- Are public clients authenticated? The OAuth2 spec talks a lot
about the server authenticating the client but if the client
is a public client it's not clear to me how this is done. How
are public clients authenticated?
keycloak-dev mailing list